b'U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n        ECONOMICS AND STATISTICS\n                ADMINISTRATION\n\n     Additional Security Measures Needed for\n     Advance Retail Sales Economic Indicator\n\n\n\n\n   Final Inspection Report No. OSE-12754/September 2001\n\n\n\n\n                            PUBLIC\n                            RELEASE\n\n\n\n                        Office of Systems Evaluations\n\n\x0cU.S. Department of Commerce                                                                    Final Inspection Report OSE-12754\n\nOffice of Inspector General                                                                                       September 2001\n\n\n\n                                                 TABLE OF CONTENTS\n\n\nEXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i \n\n\nINTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 \n\n\nBACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 \n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 \n\n\nFINDINGS AND RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 \n\n\nI.\t       Application Controls Should Be Strengthened . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 \n\n\n          A.\t       Physical access controls for servers on the LAN are reasonable, but\n\n                    guidance for personnel access to branch spaces needs improvement . . . . . . . . . . 9 \n\n          B.\t       Logical access controls are appropriate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
11 \n\n          C.\t       Application software change control is informal and lacks documented \n\n                    procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 \n\n          D.\t       Auditing software has not been regularly used during lockup . . . . . . . . . . . . . . . 13 \n\n          E. \t      Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 \n\n\nII.\t      Management Controls Over Personnel Security Need to Be Strengthened . . . . . . . . . . . 15 \n\n\n          A.\t       Employees have not had appropriate background investigations . . . . . . . . . . . . 18 \n\n          B. \t      Risk levels for positions have not been properly assigned . . . . . . . . . . . . . . . . . 19 \n\n          C.\t       Guidance concerning legal and ethical restrictions on investments based on\n\n                    advance knowledge is not adequate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 \n\n          D.        Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 \n\n\nAPPENDIXES\n\n\n          A.\t       Purpose and Critical Elements of Major Categories of FISCAM General Controls\n\n          B.        BLS Commissioner\xe2\x80\x99s Order No. 1-00\n\n\nATTACHMENT \n\n\n          A.\t       ESA\xe2\x80\x99s and Census Bureau\xe2\x80\x99s Response to Draft Inspection Report (excluding\n                    attachments to the response)\n\x0cU.S. 
Department of Commerce                                         Final Inspection Report OSE-12754\n\nOffice of Inspector General                                                            September 2001\n\n\n\n                                   EXECUTIVE SUMMARY\n\nTwo bureaus within the Economics and Statistics Administration, the Census Bureau and the\nBureau of Economic Analysis, develop Principal Federal Economic Indicators, which are major\nstatistical series that describe the current condition of the nation\xe2\x80\x99s economy. Because these\nindicators have significant commercial value, may affect the movement of commodity and\nfinancial markets, and may be taken as a measure of the impact of government policies, no\ninformation associated with them should be disclosed before their official release time. Many\nindicators are based on confidential data voluntarily provided by businesses, which also must be\nprotected. Thus, maintaining the security of the indicators throughout the preparation and release\nprocess is of utmost importance.\n\nThis report presents the results of our evaluation of the security of the Census Bureau\xe2\x80\x99s Advance\nRetail Sales Principal Federal Economic Indicator. The bureau\xe2\x80\x99s indicators are the responsibility\nof the Associate Director for Economic Programs. We selected this indicator for evaluation\nbecause of its high degree of importance and sensitivity.\n\nWhen initial estimates of the Advance Retail Sales indicator become available, bureau staff\noperate in a \xe2\x80\x9clockup,\xe2\x80\x9d or secure, mode in order to safeguard the estimates, which are refined over\na period of several days. ESA is responsible for releasing the indicators to the public. 
It provides\nthe indicator information to reporters from various news organizations 30 minutes before the\nofficial release time in a secure press room (lockup facility) and allows the reporters to prepare\nstories that are transmitted to their news organizations at the official release time. After its\nofficial release, the information is also made available to the public on the ESA and Census\nBureau web sites.\n\nThe objective of our evaluation was to determine whether ESA and the Census Bureau have\nadequate internal controls to prevent the premature or unauthorized disclosure or use of Advance\nRetail Sales economic indicator data before it is released to the public. We evaluated the\neffectiveness of (1) application controls associated with information technology resources used to\nprepare the indicator and (2) management controls over personnel security for Census Bureau\nand ESA staff having advance knowledge of the indicator.\n\nThe bureau\xe2\x80\x99s access controls appropriately establish individual accountability and limit the\nprocessing privileges of individuals. In addition, physical access controls for servers used to\ndevelop the indicator are reasonable. However, other aspects of application controls should be\nstrengthened, and management controls over personnel security need to be improved:\n\n\xe2\x80\xa2\t     Guidance for personnel access to branch spaces needs improvement. The procedures\n       for access to branch spaces during lockup do not state explicitly that branch members are\n       required to use only the designated controlled access door or address measures to protect\n       information when personnel who are not authorized access to sensitive data require\n\n                                                 i\n\x0cU.S. 
Department of Commerce                                         Final Inspection Report OSE-12754\nOffice of Inspector General                                                            September 2001\n\n\n       admittance to branch spaces. We recommend that the procedures be modified to address\n       these omissions. (See page 9.)\n\n\xe2\x80\xa2\t     Application software change control is informal and lacks documented procedures.\n       Although a process is in place for requesting changes to the application software, there\n       are no written procedures for making the changes and performing and documenting\n       appropriate tests on the modified software to ensure that only authorized changes are\n       made. We recommend that procedures for software change control be developed in\n       accordance with bureau and Department guidance. (See page 12.)\n\n\xe2\x80\xa2\t     Auditing software has not been regularly used during lockup. When audit logs were\n       available, they were not used regularly to monitor access to the indicator data. As a result\n       of a recent upgrade to the operating system of the server where the indicator data is\n       stored, the audit logs cannot be provided in the format required by the audit application\n       program, so these logs will not be available until this program is replaced. We\n       recommend that a commercially available audit application be selected and installed as\n       soon as possible and that written procedures and training on its use be provided. (See\n       page 13.)\n\n\xe2\x80\xa2\t     Employees have not had appropriate background investigations, and risk levels\n       have not been properly assigned. 
Only one of three employees associated with\n       Advance Retail Sales in positions classified as moderate risk have undergone the\n       appropriate background investigation required by the Office of Personnel Management\n       (OPM); the other two have undergone less intensive investigations. The Office of\n       Security could not identify the type of investigation done, if any, for the majority of the\n       positions classified as low risk in another division of the Economic Directorate. Two\n       persons designated as alternate ESA press room lockup directors also have not undergone\n       appropriate background investigations. Furthermore, risk levels assigned to some\n       positions are inconsistent with their levels of responsibility and trust. We recommend\n       that appropriate background investigations be completed for all employees having pre\n       release knowledge of economic indicator data and that position sensitivity classifications\n       be reassessed to ensure that they reflect the appropriate level of responsibility and trust in\n       accordance with OPM guidance. (See page 18.)\n\n\xe2\x80\xa2\t     Guidance concerning legal and ethical restrictions on market investments based on\n       advance knowledge is not adequate. Census Bureau and ESA employees who have\n       access to pre-release indicator data are not provided written guidance regarding the legal\n       and ethical restrictions on investing in financial markets based on advance information.\n       We recommend that specific guidance be provided on how the Standards of Ethical\n       Conduct for Employees in the Executive Branch restrict employees\xe2\x80\x99 ability to engage in\n       certain financial transactions with knowledge of pre-release economic indicator data.\n       (See page 19.)\n\n                                                 ii\n\x0cU.S. 
Department of Commerce                                         Final Inspection Report OSE-12754\nOffice of Inspector General                                                            September 2001\n\n\nIn our efforts to identify the criteria that are used to determine appropriate risk levels and their\nassociated background investigations, we noted a lack of guidance from the Department\xe2\x80\x99s Office\nof Human Resources Management and the Office of Security, suggesting that the issue of\nappropriate risk levels and background investigations may exist elsewhere in Commerce. We\nhave addressed this issue in our report, Program for Designating Positions According to Their\nRisk and Sensitivity Needs to Be Updated and Strengthened, Draft Inspection Report No. OSE\n14486/August 2001, which includes recommendations for the Department to provide to operating\nunits updated guidance for determining appropriate risk levels and their associated background\ninvestigations.\n\n\n\nESA and the Census Bureau have agreed with and are taking steps to implement all of our\nrecommendations. Our recommendations, which begin on page 13 and page 20, include a\nsynopsis of their response and our comments on the response, where appropriate.\n\nIn particular, the bureau has indicated that positions held by all personnel working on indicator\nsurveys would be designated as moderate risk, based on discussions with the OIG. 
However, our\nintent was not to specify a particular designation, but rather to point out that designations should\nbe based on the level of the position\xe2\x80\x99s responsibility and trust in accordance with guidance from\nthe bureau\xe2\x80\x99s Human Resources Division.\n\nSince we completed our work on the Advance Retail Sales indicator, the Department\xe2\x80\x99s Office of\nSecurity and Office of Human Resources Management have agreed to provide to operating units\nupdated guidance for determining appropriate risk levels and their associated background\ninvestigations. Therefore, the bureau\xe2\x80\x99s Human Resources Division needs to ensure that its\nefforts to implement our recommendations are consistent with the Department\xe2\x80\x99s forthcoming\nguidance.\n\nThe response of ESA and the Census Bureau, excluding its attachments, is included as\nAttachment A.\n\n\n\n\n                                                 iii\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-12754\n\nOffice of Inspector General                                                            September 2001\n\n\n\n                                       INTRODUCTION\n\nThis report presents the results of our evaluation of the security of the Census Bureau\xe2\x80\x99s Advance\nRetail Sales Principal Federal Economic Indicator, one of the major statistical series that describe\nthe current condition of the economy of the United States. Principal Federal Economic\nIndicators are developed not only by the Department of Commerce, but also by the Departments\nof Agriculture, Labor, and the Treasury, and the Federal Reserve Board, and include the Gross\nDomestic Product, U.S. 
International Trade in Goods and Services, Farm Sector Income,\nUnemployment Rate, Consumer Price Index, World Agricultural Production, and Consumer\nInstallment Credit.\n\nThese indicators are widely watched and heavily relied upon by government and the private\nsector for an understanding of the current condition and future direction of the nation\xe2\x80\x99s economy.\nThey have significant commercial value, may affect the movement of commodity and financial\nmarkets, and may be taken as a measure of the impact of government policies. The indicators are\ncompiled, released, and periodically evaluated by the various agencies in accordance with Office\nof Management and Budget (OMB) Statistical Policy Directive No. 3, which provides procedures\nto ensure that the indicators meet specific accuracy, release, and accountability standards.\n\nDepartment of Commerce Principal Federal Economic Indicators\n\nFor the Department of Commerce, two bureaus within the Economics and Statistics\nAdministration are responsible for developing Principal Federal Economic Indicators. The\nBureau of Economic Analysis develops such indicators as the Gross Domestic Product,\nCorporate Profits, and Personal Income and Outlays indicators. The Bureau of the Census\ndevelops indicators that include Advance Retail Sales, Housing Starts and Building Permits, and\nWholesale Trade.\n\nIn keeping with OMB\xe2\x80\x99s directive, ESA publishes a yearly schedule of the time and date that each\nof its indicators will be officially released to the public. ESA releases the indicators from a\nsecure press room (referred to as the \xe2\x80\x9clockup\xe2\x80\x9d facility). Security is needed because OMB\xe2\x80\x99s\ndirective requires agencies to ensure that no information or data estimates associated with the\nindicators are disclosed before the official release time.\n\n\n\n\n                                                 1\n\n\x0cU.S. 
Department of Commerce                                       Final Inspection Report OSE-12754\n\nOffice of Inspector General                                                          September 2001\n\n\n\n                                       BACKGROUND\n\nThe Census Bureau\xe2\x80\x99s Associate Director for Economic Programs is responsible for developing\nthe bureau\xe2\x80\x99s Principal Federal Economic Indicators. Within this directorate (referred to as the\nEconomic Directorate), the Service Sector Statistics Division\xe2\x80\x99s Retail and Wholesale Indicators\nBranch develops the Advance Retail Sales indicator.\n\nAdvance Retail Sales Economic Indicator\xe2\x80\x94General Background\n\nThe Advance Retail Sales indicator is released to the public in the Advance Monthly Retail Sales\nReport. This report contains the advance sales estimates for the reporting month and preliminary\nsales for the previous month by type of business, such as automotive dealers, furniture and home\nfurnishings stores, food stores, eating and drinking places, and gasoline service stations. It\nincludes both seasonally adjusted and unadjusted data and is typically released on the ninth\nbusiness day of the month following the month to which the report applies. For example, the\nindicator for April is released on the ninth business day of May.\n\nThis indicator is widely used by government, academic, and business organizations. It is an input\nto developing the Gross Domestic Product, is used by the Council of Economic Advisors for\neconomic policy analysis, and provides the Federal Reserve Board a basis for anticipating\neconomic trends. For instance, lower-than-expected sales figures could be seen as an indication\nof a weakening economy and hence portend higher bond prices. The news media regularly report\non this indicator and use the estimates for performing economic analyses. 
Businesses use the\nestimates to gauge how well they are performing and to predict future demand for their products,\nand financial analysts and market research organizations use the data to analyze market trends\nand forecast the direction of the economy.\n\nAdvance Retail Sales\xe2\x80\x94Development Process\n\nThe timeline for development and release of the Advance Retail Sales indicator is presented in\nFigure 1. Data for developing the indicator is collected through the Advance Monthly Retail\nSales Survey. Near the end of the month for which the indicator is to be developed, survey forms\nare either mailed or sent by facsimile to a sub-sample of about 4,100 participating businesses\nselected from the Monthly Retail Trade Survey sample of more than 12,000 businesses.\nBusinesses participate on a voluntary basis and are afforded confidentiality by the bureau as\nrequired by Title 13 of the United States Code.\n\n\n\n\n                                               2\n\n\x0c    End of reporting month\n\xe2\x80\xa2 Mail or fax Advance Retail                            2nd \xe2\x80\x946th day of next month                            5th \xe2\x80\x946th day of next month\n  Sales Survey forms to the                         \xe2\x80\xa2 Key response data                                      \xe2\x80\xa2 Edit and tabulate data\n  4,100 participating businesses                    \xe2\x80\xa2 Follow up by phone, if needed\n\n                                                                                                      Begin secure operations (\xe2\x80\x9clockup\xe2\x80\x9d)\n\n\n                                  7th day of next month\n                                                                                              7th\xe2\x80\x948th day of next month\n                           \xe2\x80\xa2 Develop preliminary indicator\n                                                                                     \xe2\x80\xa2 Review preliminary indicator 
values\n                             values\n                                                                                     \xe2\x80\xa2 Validate final indicator values\n                           \xe2\x80\xa2 Prepare preliminary public\n                                                                                     \xe2\x80\xa2 Prepare final public release reports\n                             release reports\n\n\n\n\n                                                                                                             9th day of next month\n                                                     th\n                                                   8 day of next month                                 \xe2\x80\xa2 Officially release indicator\n                                               \xe2\x80\xa2 Send report to Council of                               (ESA)\n                                                 Economic Advisors                                     \xe2\x80\xa2 Post reports on public ESA and\n                                                                                                         Bureau web sites\nNotes:   All days refer to workdays.\n         All activities are performed by the Census Bureau, with the exception of release by\n         ESA.\n\n\n\n\n                       Figure 1. Timeline for Development and Release of Advance Retail Sales Indicator\n\n\n\n\n                                                                           3\n\n\x0cU.S. Department of Commerce                                       Final Inspection Report OSE-12754\nOffice of Inspector General                                                          September 2001\n\n\nCompleted survey forms are returned either by mail or facsimile to the National Processing\nCenter (NPC) in Jeffersonville, Indiana, where response data is keyed starting on the second\nworkday of the following month. 
Data keying continues during the third through sixth workdays,\nwhen telephone follow-up is used to obtain information from those businesses whose responses\nwere not provided via mail or facsimile, or included information that needed clarification.\n\nEditing and tabulation of the survey data begin on the fifth workday, and at this point, initial\nestimates of the indicator values become available. Consequently, starting on the fifth workday\nand extending through the release on the ninth workday, the Retail and Wholesale Indicators\nBranch staff operates in a lockup, or secure, mode in order to safeguard the evolving estimates.\nDuring the morning of the seventh workday, branch staff develop finalized indicator values and\nprepare reports for public release. The finalized numbers are subject to change during the\nvalidation and review process performed by management and staff. The remainder of the seventh\nday and the eighth day are spent on validating the final values and preparing materials for public\nrelease. Late on the afternoon of the eighth day, the report is sent to the Council of Economic\nAdvisors by secure facsimile.\n\nAt 7:45 a.m. on the ninth workday, managers from the Retail and Wholesale Indicators Branch\ndeliver final distribution copies of the Advance Monthly Retail Sales Report and diskettes\ncontaining the report to the ESA lockup director or a designated alternate. At 8:00 a.m., in a\nlocked office, the managers brief the Department\xe2\x80\x99s Under Secretary for Economic Affairs,\nDeputy Under Secretary for Economic Affairs, and Chief Economist. The office where the\nbriefing is held remains locked until 8:30 a.m., the official release time. 
The information is\nofficially released through the ESA press room, and the report is then made available to the\npublic on the ESA and Census Bureau web sites.\n\nPrincipal Economic Indicator Release Process\n\nOn the date that an indicator is scheduled for release, reporters from various authorized news\nservices may enter the lockup facility, located at Department headquarters in Washington, D.C.,\none hour before the official release time. Until one half hour before release time, reporters may\nuse their computer and communications equipment housed in the lockup facility or brought with\nthem to establish communications with the external news service systems that will receive the\nindicator data. One half hour before release time, reporters are required to break off\ncommunications with their external systems. The door is locked, and nobody may enter or leave\nthe facility until after official release of the indicator. The ESA lockup director distributes\nhardcopy reports and diskettes containing the indicator data to the reporters, who may ask\nquestions about the information and prepare stories for transmission to their external systems.\nCommunications are reestablished at the release time.\n\n\n\n\n                                                4\n\n\x0cU.S. Department of Commerce                                        Final Inspection Report OSE-12754\nOffice of Inspector General                                                           September 2001\n\n\nIncidents During the Release Process Have Prompted Tighter Controls by ESA\n\nIn February 2000, the New Home Sales indicator was released to one reporter\xe2\x80\x99s remote site\nnearly 30 minutes early, and in April 2000, a story on the Trade Deficit indicator for a different\nnews service appeared on the service\xe2\x80\x99s web site with a time stamp three minutes earlier than the\nofficial release time. 
We assessed these incidents and found that the first release occurred\nbecause, until recently, communications were provided by individual electronic switches\nconnected to the reporters\xe2\x80\x99 computers, which the reporters controlled themselves under the\nscrutiny of ESA personnel. In this instance, the communications line had been disconnected\nfrom the switch and directly connected to the reporter\xe2\x80\x99s computer during maintenance and had\nnot been reconnected to the switch. Neither the reporter nor ESA personnel were aware of this.\nThe information was transmitted when the reporter inadvertently pressed the return key while\ndirectly connected to the remote system. In the case of the early time stamp, we found that the\nclock on the reporter\xe2\x80\x99s personal computer was three minutes fast, and the web server posting the\nstory used that time, giving the appearance of an early release. Because of these incidents, ESA\nhas taken measures to improve security in order to preclude the actual or perceived early release\nof indicators.\n\nImportant among these measures is that ESA has transferred the responsibility for breaking off\ncommunications with external systems from the individual reporters to the ESA lockup director\nto minimize the chances of an early release. For each news service, ESA has installed a\ncommunications switch whose power source is controlled by a master power switch operated by\nthe ESA lockup director. 
In addition, ESA now requires all reporters to ensure that the clocks on\ntheir personal computers are synchronized to Naval Observatory time to avoid having incorrect\ntime stamps associated with news stories and thereby giving the perception of an early release of\nindicator data.\n\nInformation Technology Resources\n\nThe Retail and Wholesale Indicators Branch staff uses the information technology resources\nprovided by the Economic Directorate\xe2\x80\x99s local area network (LAN) to produce the monthly\nAdvance Retail Sales indicator. Staff from the Economic Statistical Methods and Programming\nDivision (ESMPD) within the Economic Directorate is responsible for security and system\nadministration of the LAN. The bureau has identified the LAN as a general support system in\naccordance with criteria provided by OMB Circular A-130, Appendix III. The LAN was\naccredited as a sensitive, but unclassified, system in August 2000. The general support security\nplan for the LAN identifies the Advance Retail Sales indicator as one of several production\napplications supported by the LAN.\n\nDuring the monthly survey collection phase, branch staff access the survey data, which are keyed\nby bureau personnel and stored on a primary server and a backup server located at NPC. An\nadditional backup server, which is accessible via the LAN, is also maintained at bureau\n\n                                                 5\n\n\x0cU.S. Department of Commerce                                      Final Inspection Report OSE-12754\nOffice of Inspector General                                                         September 2001\n\n\nheadquarters. Branch staff analysts access the NPC server from personal computers connected to\nthe Economic Directorate\xe2\x80\x99s LAN. 
They perform edit and tabulation operations on the data,\nwhich is transferred over a secure connection between NPC and bureau headquarters.\n\nStaff analysts also use the NPC server to generate ratios that serve as input to time-series and\nseasonal adjustment programs that are run from LAN personal computers on a Unix server at the\nbureau\xe2\x80\x99s Computer Center in Bowie, Maryland, to provide successively refined estimates of the\nindicator values. The Bowie facilities are accessed from bureau headquarters via a secure\nconnection. Applications developed by the bureau are used to generate the final indicator values\nand commercially available application programs are used to prepare the associated publications,\nwhich are stored on a server at bureau headquarters.\n\n\n\n\n                                               6\n\n\x0cU.S. Department of Commerce                                         Final Inspection Report OSE-12754\n\nOffice of Inspector General                                                            September 2001\n\n\n\n                      OBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objective of this evaluation was to determine whether ESA and the Census Bureau have\nadequate internal controls to prevent the premature or unauthorized disclosure or use of Advance\nRetail Sales economic indicator data before it is released to the public via the ESA press release\nroom. We selected the Advance Retail Sales indicator as the subject of this evaluation because\nof its importance to government, academic, and business organizations in their efforts to analyze\neconomic policy, anticipate economic trends, predict demand for products, and forecast the\ndirection of the economy.\n\nOur field work was performed between July 2000 and April 2001. During this time, we\nreviewed written policies and procedures and identified the controls over the analysis,\nprocessing, and reporting of Advance Retail Sales data. 
We interviewed Census Bureau officials\nand staff and observed the procedures used to prepare the Advance Retail Sales estimates. In\naddition, we used the General Accounting Office\xe2\x80\x99s (GAO) Federal Information System Controls\nAudit Manual (FISCAM) as guidance to evaluate the effectiveness of controls associated with\ninformation technology resources used to prepare the Advance Retail Sales indicator. We also\nevaluated the management controls over personnel security for both the Census Bureau staff\ninvolved in preparing the indicator and ESA staff involved in releasing it.\n\nWe had originally planned to evaluate the general controls in place for the Economic\nDirectorate\xe2\x80\x99s LAN. General controls are the structure, policies, and procedures that apply to an\nentity\xe2\x80\x99s overall computer operations and establish the environment in which application systems\nand controls operate. FISCAM identifies six major categories of general controls, with each\ncategory having an associated set of critical elements, and includes tables that provide guidance\nfor assessing the effectiveness of the critical elements. Appendix A shows FISCAM\xe2\x80\x99s major\ncategories of general controls, their purpose, and their critical elements.\n\nAs we were planning our evaluation, the bureau contracted for an information security risk\nassessment of its systems. The contractor decided to include the Economic Directorate\xe2\x80\x99s LAN\nand to use the National Security Agency\xe2\x80\x99s Information Security Assessment Methodology, which\nis similar to FISCAM. To avoid duplication of effort, we focused on application controls for the\nAdvance Retail Sales application rather than on general controls for the LAN. 
The general control issues that the contractor raised have been resolved.

Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as Advance Retail Sales and the other economic indicators, identified as applications in the General Support Security Plan for the LAN. An application system is typically a group of individual computer programs that relate to a common function, such as development of an economic indicator. Our evaluation of application controls is consistent with GAO’s approach to application controls reviews, which emphasizes determining whether controls are in place to ensure that access privileges establish individual accountability and proper segregation of duties, limit the processing privileges of individuals, and prevent and detect inappropriate or unauthorized activities. To accomplish this, we used the appropriate FISCAM tables relating to the access controls major category of general controls. In particular, for the Advance Retail Sales application, we evaluated logical access controls, physical access controls, and the use of system auditing to facilitate monitoring of file access, investigating apparent security violations, and taking appropriate remedial action. Furthermore, we evaluated the effectiveness of the software change control process as it relates to preventing and detecting inappropriate or unauthorized activities.

We held an exit conference with the Census Bureau on June 26, 2001.
Prior to the exit conference, we discussed the information contained in this report with the Deputy Under Secretary for Economic Affairs and the bureau’s Associate Director for Economic Programs. ESA and Census Bureau officials generally agreed with our findings and have already begun to implement some of our recommendations.

Our evaluation was conducted in accordance with the Quality Standards for Inspections issued by the President’s Council on Integrity and Efficiency, and was performed under the authority of the Inspector General Act of 1978, as amended, and Departmental Organization Order 10-13, dated May 22, 1980, as amended.

FINDINGS AND RECOMMENDATIONS

I. Application Controls Should Be Strengthened

Logical access controls afford appropriate protection for development of the Advance Retail Sales indicator. These controls establish individual accountability, limit the processing privileges of individuals, and establish reasonable physical access controls for servers used in the development of the indicator.
However, guidance on physical access to branch spaces during lockup needs to be clarified, software change control procedures need to be improved, and auditing software for detecting inappropriate access to resources on the server that contains final indicator information has not been used regularly.

A. Physical access controls for servers on the LAN are reasonable, but guidance for personnel access to branch spaces needs improvement

Physical access controls include locks, security guards, badges, alarms, and similar measures that help to safeguard computer facilities and resources from loss or impairment by limiting access to buildings and rooms where they are housed. The servers that are part of the Economic Directorate’s LAN, as well as the servers in Bowie and NPC, which are accessed by analysts during development of the Advance Retail Sales indicator via the LAN, are housed in locked rooms to which access is physically restricted to only explicitly authorized personnel. In addition, access to branch office spaces during lockup is controlled in accordance with established procedures.

The Economic Directorate’s Procedures for Internal Control of Economic Indicator Data Prior to Press Release Time requires printed material containing sensitive data to be stored in locked containers within branch spaces at the end of each workday and when not in use during the day. As an additional measure to prevent unauthorized access to sensitive economic data, staff from the Retail and Wholesale Indicators Branch ensure that printed reports are directed only to printers within the branch spaces.

The procedures contain a section titled “Office Security Procedures,” which specifies the process for ensuring that only authorized personnel have access to branch spaces where aggregate data are prepared.
This document specifically states:

       “All offices housing unpublished sensitive economic data will have controlled
       access for a fixed period of time to be established by the Branch Chief. During
       the period of time needed to prepare the release, no admission to the local branch
       areas where the aggregate data are prepared, will be permitted to unauthorized
       personnel. Formal notices, in English and Spanish, must be displayed at normal
       entry points to read:

           NO ADMITTANCE/AUTORIZADO PERSONAL UNICAMENTE

       During this time, the Branch Chief will designate only one entry point to the
       branch, which will be in compliance with fire regulations. A monitor is to be
       stationed close to the entry point to ensure enforcement of the “no admittance”
       policy. A sign-in/sign-out log will be maintained for non-branch personnel
       entering the area.”

During our evaluation, we observed two days of the Advance Retail Sales lockup process for the September 2000 release. When we arrived at the designated branch access point, appropriate signs were posted on the doors, and we were required to sign a log upon entry. In addition, we noted several occasions when non-branch personnel, who also regularly participate in the development of the indicator, signed the log as required upon entry to and exit from branch spaces. However, while observing the lockup process, we noted that a branch staff member exited the branch spaces through a doorway that was not designated as the access door and shortly afterward re-entered through the same door.
This door was locked from the inside and required the use of a key to re-enter, and a “NO ADMITTANCE” sign was appropriately posted on the outside of the door.

The branch manager later confirmed that branch members, as well as authorized visitors, should use only the designated controlled access door to enter and exit the branch area during lockup. We believe that the procedures contained in the “Office Security Procedures” section of the internal control procedures should be modified to state explicitly that branch members are required to use only the controlled access door to enter and exit the branch area during lockup and that branch members should be reminded of this requirement. Explicitly stating and rigorously enforcing access requirements will increase the assurance that branch employees are not engaged in unauthorized disclosure of information. Strict enforcement will also ensure that normal entry points, which are locked at the start of a lockup period, remain locked. If a branch member were to exit through a locked door and the door failed to close tightly, it could provide unauthorized persons an entry point to branch spaces and access to sensitive economic data.

Finally, we learned that occasionally personnel who are not authorized access to sensitive indicator data require access to branch spaces during lockup to repair copiers or perform other maintenance-related services. In these cases, the branch manager or supervisor ensures that a member of the branch accompanies such visitors and takes measures to prevent unauthorized access to sensitive data. However, the directorate’s internal controls document does not explicitly address protecting information when such visitors require access to branch spaces during lockup, and we believe that it should.
B. Logical access controls are appropriate

Logical access controls involve the use of computer hardware and security software to prevent or detect unauthorized access to resources by requiring users to provide unique user identifications, passwords, or other identifiers that afford predetermined privileges to access specific resources. These controls are used to restrict the access of legitimate users to specific systems, programs, and files needed to conduct their work, and to prevent unauthorized users from gaining access to computing resources. We found that ESMPD follows appropriate bureau-wide procedures pertaining to logical access controls as specified in the bureau’s Handbook for Information Technology Security and the general support security plan for the LAN.

Access to LAN-based computing resources by branch analysts is controlled by unique user identification and password combinations, which are initially assigned and periodically changed in accordance with bureau-wide procedures. Users can access the LAN only if they have been assigned a valid user identification and password combination and can access only those servers for which they have been provided user identification and password combinations. Passwords are required to contain a specified minimum number of alphabetic and non-alphabetic characters. In addition, users are required to change their passwords upon initially logging on to a system and every 30 days thereafter.
Password history files are maintained to ensure that passwords cannot be reused for at least 12 months.

Whenever any user makes a certain number of consecutive unsuccessful attempts to log on to a system, the LAN system administrators are notified, and subsequent log-on attempts from the user’s account are disabled until an administrator reinstates the log-on capability. This mechanism allows an administrator to determine the cause of the access failure and to verify the user’s identity before granting further access. For the Advance Retail Sales indicator, an extra level of access control is provided by the computer program used for editing and tabulating survey data, which requires an additional user identification and password to enable access to the particularly sensitive survey data.

Supervisors within the Retail and Wholesale Indicators Branch follow bureau-wide procedures to obtain LAN and server access for newly hired staff, as well as to deactivate access privileges for staff who leave the branch. During our fieldwork, a branch employee resigned, and we verified that all of that employee’s access privileges were promptly removed.

Finally, we determined that branch supervisors work with LAN administrators to ensure that analysts are provided access privileges only to the systems, programs, and data files needed to conduct their work. We reviewed directories on the servers used for development of the Advance Retail Sales indicator and found that access privileges are assigned only to members of the Retail and Wholesale Indicators Branch and to designated support staff from ESMPD. File access controls afforded by the various operating systems provide the mechanisms for assigning access privileges.
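The account controls that section B describes (composition rule, forced change at first logon and every 30 days, 12-month reuse history, lockout after consecutive failures with administrator notification and reinstatement) fit together as the small policy engine below. This is an added illustration written for this page, not the Census Bureau's LAN software or Novell's: the character counts and the lockout threshold are assumed because the report only says "a specified minimum" and "a certain number", and passwords are stored as salted PBKDF2 digests rather than in whatever form the bureau's systems used.

```python
"""Account-access controls of the kind section B describes (added example; not
the Census Bureau's or Novell's software). Values the report does not give are
marked as assumed."""
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_ALPHA = 4                            # assumed; report: "a specified minimum"
MIN_NON_ALPHA = 2                        # assumed
MAX_PASSWORD_AGE = timedelta(days=30)    # stated: change every 30 days
HISTORY_WINDOW = timedelta(days=365)     # stated: no reuse for at least 12 months
MAX_CONSECUTIVE_FAILURES = 3             # assumed; report: "a certain number"


def password_meets_composition(pw: str) -> bool:
    """Minimum counts of alphabetic and non-alphabetic characters."""
    alpha = sum(c.isalpha() for c in pw)
    return alpha >= MIN_ALPHA and len(pw) - alpha >= MIN_NON_ALPHA


def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class Account:
    """One LAN user: salted password digests with dates, plus failure state."""

    def __init__(self, user_id: str, initial_pw: str, set_on: date):
        self.user_id = user_id
        self.history = []        # (salt, digest, date_set), newest last
        self.must_change = True  # initial password must be changed at first logon
        self.failures = 0
        self.locked = False
        self._store(initial_pw, set_on)

    def _store(self, pw: str, set_on: date) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(pw, salt), set_on))

    def verify(self, pw: str) -> bool:
        salt, digest, _ = self.history[-1]
        return hmac.compare_digest(_digest(pw, salt), digest)

    def password_expired(self, today: date) -> bool:
        return today - self.history[-1][2] >= MAX_PASSWORD_AGE

    def change_password(self, new_pw: str, today: date) -> bool:
        """Reject weak passwords and any password set within the history window."""
        if not password_meets_composition(new_pw):
            return False
        for salt, digest, set_on in self.history:
            if today - set_on < HISTORY_WINDOW and hmac.compare_digest(
                    _digest(new_pw, salt), digest):
                return False
        self._store(new_pw, today)
        self.must_change = False
        return True


class LoginGuard:
    """Disable the account after consecutive failures; only an administrator
    reinstates it, after verifying the user's identity."""

    def __init__(self):
        self.admin_notifications = []   # user ids whose accounts were disabled

    def attempt(self, account: Account, pw: str, today: date) -> str:
        if account.locked:
            return "locked"             # stays disabled even with the right password
        if not account.verify(pw):
            account.failures += 1
            if account.failures >= MAX_CONSECUTIVE_FAILURES:
                account.locked = True
                self.admin_notifications.append(account.user_id)
                return "locked"
            return "denied"
        account.failures = 0            # a success resets the consecutive count
        if account.must_change or account.password_expired(today):
            return "change-required"
        return "ok"

    def reinstate(self, account: Account) -> None:
        account.locked = False
        account.failures = 0
```

Note that a correct password presented to a locked account still returns "locked": the point of the control is that reinstatement is an administrator decision taken after the cause of the failures has been investigated, not something the user can achieve by eventually guessing right.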
C. Application software change control is informal and lacks documented procedures

Application software has been designed to support development of the Advance Retail Sales economic indicator. This software consists of computer programs that have been developed by the bureau, as well as commercially available applications for which specific scripts have been written, to facilitate the generation of intermediate and final versions of the indicator.

Establishing and enforcing procedures for modifying application software and related scripts provides a level of assurance that only authorized programs and authorized changes are implemented. This can be accomplished by instituting policies, procedures, and techniques that help ensure that all programs and program modifications are properly authorized, tested, and approved and that access to and distribution of programs are carefully controlled. Failure to implement effective change control measures presents a risk that security features built into the software could be inadvertently or deliberately circumvented or that unauthorized processing or malicious code could be introduced.

Although a process is in place for requesting changes to software used in the development of the Advance Retail Sales indicator (as well as other indicators) and ESMPD staff are aware of it, there are no written procedures for making the changes and performing and documenting appropriate tests on the modified software to ensure that only authorized changes are made.
The application software for Advance Retail Sales has not required significant changes in the past several years, and an ESMPD programmer/analyst has been assigned to work with the Retail and Wholesale Indicators Branch to provide technical support and coordinate any necessary changes to the software. However, written procedures for application software change control are still needed.

A GAO report, Information Security: Controls Over Software Changes at Federal Agencies (GAO/AIMD-00-151R, May 4, 2000), underscores the general lack of effective software change control within federal agencies, including the Department of Commerce. Appropriate guidance for software change control within ESMPD needs to be developed, documented, and followed, particularly with respect to applications used in the development of economic indicators.

D. Auditing software has not been regularly used during lockup

Novell’s NetWare operating system provides a feature to create audit logs that contain a record of all accesses by users and applications to files containing pre-release information for Advance Retail Sales and several other indicators on the server where actual indicator data and reports are stored. ESMPD had enabled this feature on the publication server and developed an application program to filter the logged data and provide an indication of any potential unauthorized attempts to access the pre-release data.
Although branch managers and supervisors have received instruction in the use of the application, they did not use it regularly to monitor resource access during and immediately following the monthly lockups because it was a relatively recent and evolving product with no documentation providing instructions to users. ESMPD network personnel had been using the application to scan the audit log files on the server during lockup to monitor access to the indicator data.

However, ESMPD has upgraded the operating system on this server to a new release of NetWare, which will not provide audit logs in the format required by the audit application program. As a result, ESMPD officials have told us that they plan to evaluate several commercially available programs to replace the current audit application, install the selected program, and provide appropriate training for branch managers and supervisors who use the publication server. We support this effort and believe that ESMPD should provide written procedures to ensure that the selected audit program will be used properly by managers and supervisors during lockup.

E. Recommendations

We recommend that the Acting Director of the Census Bureau direct the Associate Director for Economic Programs to:

1.     Ensure that the directorate’s Procedures for Internal Control of Economic Indicator Data Prior to Press Release Time is modified to state explicitly that:

       a.     Branch members are required to use only the controlled access door to enter and exit the branch area during lockup, and branch chiefs are responsible for strictly enforcing this requirement.

       b.     A branch member is required to (1) accompany any visitors who are not authorized access to sensitive indicator data but who require access to branch spaces during lockup, and (2) preclude their access to the sensitive data.

       The bureau has agreed with this recommendation and has agreed to provide us a copy of the updated document for review.

2.     Ensure that branch members are aware of the requirements to use only the controlled access door during lockup and to accompany visitors not authorized to access sensitive indicator data.

       The bureau has agreed with this recommendation. The Economic Directorate held a meeting with branch staff to re-emphasize these requirements and posted appropriate signs on the inside of every door in the lockup area.

3.     Ensure that procedures for software change control are developed according to bureau and Department guidance and that they are followed, particularly with respect to applications used in the development of economic indicators.

       The bureau has agreed with this recommendation. The Economic Directorate developed a document titled “Economic Directorate Current Surveys Change Control Model” and provided us a copy.

4.     Ensure that a commercially available audit application is selected and installed as soon as possible and that written procedures are prepared and training on its use is provided.

       The bureau has agreed with this recommendation and is exploring off-the-shelf software options. The bureau noted that until it finds an appropriate product, it will continue to use the existing software and monitor its output regularly.
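Section D above describes a program that filters the publication server's audit log and flags potential unauthorized attempts to reach pre-release files. The filter below is an added illustration of that kind of monitoring, written for this page; it is not ESMPD's program, and the record layout (date, time, user, operation, path, result), the file location, the authorized user list, and the sample log entries are all constructed for the example rather than taken from NetWare or from the report. It restricts attention to the lockup-through-release window, flags every denied attempt on pre-release files and every successful access by a user outside the authorized set, skips malformed records, and summarizes users whose denied attempts repeat.

```python
"""Audit-log filter of the kind section D describes (added example; not ESMPD's
program). The record layout is constructed, not NetWare's:
    <date> <time> <user> <operation> <path> <result>"""
import re
from datetime import datetime

# Constructed sample log covering one lockup; the last line is deliberately malformed.
SAMPLE_LOG = """\
2000-09-13 16:55:02 rwib_analyst1 READ PUB:/INDIC/ARS/SEP00/FINAL.TXT OK
2000-09-13 17:10:44 rwib_chief WRITE PUB:/INDIC/ARS/SEP00/FINAL.TXT OK
2000-09-13 17:31:09 esmpd_support READ PUB:/INDIC/ARS/SEP00/FINAL.TXT OK
2000-09-13 18:02:51 jdoe READ PUB:/INDIC/ARS/SEP00/FINAL.TXT DENIED
2000-09-13 18:03:07 jdoe READ PUB:/INDIC/ARS/SEP00/FINAL.TXT DENIED
2000-09-13 18:20:30 rwib_analyst2 READ PUB:/INDIC/WHOLESALE/NOTES.TXT OK
2000-09-14 07:45:13 mktg_user READ PUB:/INDIC/ARS/SEP00/FINAL.TXT OK
2000-09-14 09:15:00 mktg_user READ PUB:/INDIC/ARS/SEP00/FINAL.TXT OK
this line is not a well-formed record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<op>\S+) "
    r"(?P<path>\S+) (?P<result>OK|DENIED)$"
)

PRE_RELEASE_PREFIX = "PUB:/INDIC/ARS/"   # assumed location of the pre-release files
AUTHORIZED = {"rwib_analyst1", "rwib_analyst2", "rwib_chief", "esmpd_support"}  # assumed


def parse(log_text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_suspicious(events, authorized, window_start, window_end):
    """Within the monitoring window, flag denied attempts on pre-release files
    and successful accesses by users who are not on the authorized list."""
    findings = []
    for e in events:
        if not e["path"].startswith(PRE_RELEASE_PREFIX):
            continue
        if not window_start <= e["ts"] <= window_end:
            continue   # after public release the file is no longer sensitive
        if e["result"] == "DENIED":
            findings.append({"kind": "denied-attempt", "user": e["user"], "ts": e["ts"]})
        elif e["user"] not in authorized:
            findings.append({"kind": "unauthorized-access", "user": e["user"], "ts": e["ts"]})
    return findings


def repeated_denials(findings, threshold=2):
    """Users whose denied attempts reach the threshold: the pattern a
    supervisor would follow up on first."""
    counts = {}
    for f in findings:
        if f["kind"] == "denied-attempt":
            counts[f["user"]] = counts.get(f["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def run_sample():
    """Lockup start through public release (8:30 a.m. release time assumed)."""
    events = parse(SAMPLE_LOG)
    return find_suspicious(events, AUTHORIZED,
                           datetime(2000, 9, 13, 16, 0), datetime(2000, 9, 14, 8, 30))


if __name__ == "__main__":
    for f in run_sample():
        print(f["ts"], f["kind"], f["user"])
    print("repeated denials:", repeated_denials(run_sample()))
```

The window check is what makes the output reviewable by a manager rather than a network specialist: an access at 9:15 a.m. after release is ordinary, the same access by the same user at 7:45 a.m. is not, and the two denied attempts by one account are surfaced together instead of being buried among hundreds of legitimate reads.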
II. Management Controls Over Personnel Security Need to Be Strengthened

Census Bureau employees who participate in the development of Principal Federal Economic Indicators, including the Advance Retail Sales indicator, as well as ESA employees who coordinate the release of these indicators, have advance knowledge of sensitive economic data that could affect or predict financial market activity. These employees could potentially profit from speculative market investments based on this advance knowledge. For Advance Retail Sales, employees know the final indicator values for up to a day and a half before its release to the public. The ESA employees who coordinate the release of all the Department’s principal economic indicators via the lockup facility have access to final indicator data 15 minutes before the lockup begins. Consequently, the government needs to take measures to ensure that these employees are suitable for such positions of public trust.

In 1991, the Office of Personnel Management (OPM) issued Appendix A to 731 Subchapter 5 of the Federal Personnel Manual (FPM). This appendix provides guidance and criteria for classifying positions of public trust, such as those dealing with development of Principal Federal Economic Indicators, as high, moderate, or low risk. It also specifies the type of background investigation appropriate for each of the risk levels. However, the FPM was abolished in December 1993.

Since then, the bureau has developed its own guidance and criteria, which are consistent with Appendix A, and published them as chapter S-8 in the Census Administrative Manual.
Chapter S-8 states that the immediate supervisor or manager having responsibility for a position has primary responsibility for designating the position’s risk level. The current version of chapter S-8 was signed by the bureau director in December 1996. Tables 1 and 2 provide summary information from chapter S-8. Table 1 provides representative criteria for classifying positions as high, moderate, and low risk and indicates the corresponding type of investigation appropriate for each level of risk. Table 2 describes the types of investigation associated with the risk levels.

On December 28, 2000, OPM published in the Federal Register revised regulations concerning the classification of positions based on risk level and the associated background investigation requirements. These regulations, found at 5 Code of Federal Regulations Part 731, became effective on March 30, 2001; however, they do not provide details, such as those provided by FPM Appendix A, for classifying position risk levels and do not identify background investigation requirements for the various risk levels. Rather than including these details in the regulations, OPM has decided to offer federal agencies training on classifying position risk levels and determining appropriate background investigations. OPM’s Federal Investigations Notice No. 01-08, dated March 19, 2001, provides details about the available training.

Additionally, because of the abolishment of the FPM, the regulation includes a section outlining OPM’s and agencies’ responsibilities for personnel security associated with the design, operation, and use of federal automated information systems, as required by OMB Circular A-130 (1996 version) and the Computer Security Act.
Table 1. Representative Risk Level Classification Criteria and Investigation Types in Chapter S-8 of the Census Administrative Manual

Risk Level: High
Type of Investigation: Background Investigation (BI)
Representative Classification Criteria (Abbreviated from Chapter S-8):
   (1) Positions involving duties of clearly major importance to the Census Bureau mission with major program responsibilities that affect the efficiency of the government.
   (2) Positions involving development or approval of plans, policies, or programs that affect the overall operations of the Census Bureau; that is, policymaking or policy-determining positions.
   (3) Positions involving fiduciary, public contact, or other duties demanding the highest degree of public trust. This includes positions in the Senior Executive Service; GS-15 positions that clearly involve fiduciary, public contact, or other duties demanding the highest degree of public trust; positions involving foreign duty; positions involving investigative compliance, inspection, or auditing responsibilities, regardless of grade.
   (4) Positions in which the incumbent is responsible for planning, directing, and implementing a computer security program.
   (5) Positions designated by the Director or a field office director.

Risk Level: Moderate
Type of Investigation: Minimum Background Investigation (MBI)
Representative Classification Criteria (Abbreviated from Chapter S-8):
   (1) Positions involving duties of considerable importance to the Census Bureau mission with significant program responsibilities that affect the efficiency of the government.
   (2) Positions involving duties that demand a high degree of confidence and trust.
   (3) Positions for which the incumbent is responsible for directing, planning, designing, operating, or maintaining a computer system, and whose work is technically reviewed by a higher authority at the Critical Sensitive or High Risk level to ensure the integrity of the system.

Risk Level: Low
Type of Investigation: National Agency Check with Inquiry (NACI)
Representative Classification Criteria (Abbreviated from Chapter S-8):
   A position that does not fall into a higher sensitivity level.

Note: FPM Appendix A recommends that moderate risk positions undergo either an MBI or, preferably, a Limited Background Investigation, which is a more extensive investigation than the MBI.

Table 2. Description of Types of Investigations Associated With Risk Levels in Chapter S-8 of the Census Administrative Manual

Risk Level: High
   Background Investigation: Consists of a subject interview, written inquiries, record searches, a credit check, and personal interviews with selected sources covering specific areas of a subject’s background up to the past five years.

Risk Level: Moderate
   Minimum Background Investigation: Consists of a subject interview, written inquiries, record searches, a credit check, and a law enforcement check covering the most recent five-year period.
   Limited Background Investigation: Consists of a subject interview, personal interviews with selected sources covering specific areas of a subject’s background during the past three years, written inquiries, record searches, and a credit check.

Risk Level: Low
   National Agency Check with Inquiry: Consists of record searches of national, state, and local law enforcement and investigative indices, as well as written inquiries and record searches covering specific areas of a subject’s background during the past five years.

Although guidance has been available, the bureau has not ensured that appropriate background investigations for employees dealing with the Advance Retail Sales indicator have been completed and has not assigned appropriate levels of risk to positions held by these employees. Similarly, ESA has not verified that employees who coordinate the release of principal economic indicators have undergone appropriate background investigations.

Using guidance from the Department’s Office of Human Resources Management, human resources personnel in Commerce bureaus are responsible for working with management to determine the risk level for each position. For low and moderate risk positions, human resources personnel are responsible for requesting the appropriate background investigation from OPM. For high risk positions, human resources personnel are responsible for providing background information to the Office of Security, which is then responsible for requesting the appropriate background investigation from OPM. In our efforts to identify the criteria that are used to determine appropriate risk levels and their associated background investigations, we noted a lack of guidance from the Office of Human Resources Management and the Office of Security, suggesting that the issue of appropriate risk levels and background investigations may exist elsewhere in Commerce. We have addressed this issue in our report, Program for Designating Positions According to Their Risk and Sensitivity Needs to Be Updated and Strengthened, Draft Inspection Report No. OSE-14486/August 2001, which includes recommendations for the Department to provide to operating units updated guidance for determining appropriate risk levels and their associated background investigations. The Department’s Office of Security and Office of Human Resources Management have agreed to provide updated guidance; thus, the bureau’s Human Resources Division needs to ensure that its efforts to implement our recommendations are consistent with the Department’s forthcoming guidance.

Finally, ESA has not provided employees having pre-release access to economic indicator data with guidance concerning legal and ethical restrictions on market investments based on advance knowledge.

A. Employees have not had appropriate background investigations

We reviewed the types of background investigations that were done for 27 bureau employees regularly involved in the development of the Advance Retail Sales indicator. Three were employees of the ESMPD, and 24 were employees of the Service Sector Statistics Division (SSSD). Twenty-two employees held positions classified as low risk, three held positions classified as moderate risk, and two held positions classified as high risk. Bureau guidance specifies that low risk positions should be subject to a National Agency Check with Inquiry (NACI), moderate risk positions to a Minimum Background Investigation (MBI), and high risk positions to a Background Investigation (BI).
This is consistent with OPM guidance, which\nstates that moderate risk positions could be subject to either an MBI or a Limited Background\nInvestigation (LBI).\n\nFor the 22 low risk positions, six employees had undergone the specified NACI; however,\nrecords provided by the Department’s Office of Security could not identify the type of\ninvestigation done, if any, for the remaining 16. For the three moderate risk positions, two\nemployees had received only an NACI and the other the required MBI. Both employees filling\nthe high risk positions had undergone the required BI.\n\nWe also reviewed the types of background investigations done for another 169 employees of\nSSSD and found that 47 had no record of any investigation having been done. Furthermore, we\nfound that for another 216 employees of ESMPD, 87 had no record of any investigation having\nbeen done.\n\nIn addition, we noted that two persons designated as alternate ESA lockup directors fill positions\nclassified as equivalent to moderate risk, but have not undergone background investigations\ncorresponding to the MBI.\n\nAs a result of our analysis, we conclude that management controls need to be strengthened to\nensure that appropriate background investigations are completed for all employees within the\nEconomic Directorate and for the ESA employees who coordinate the ESA lockup.\n\nB.     Risk levels for positions have not been properly assigned\n\nWe also found that risk levels assigned to positions held by some SSSD and ESMPD employees\ninvolved in developing the Advance Retail Sales indicator are inconsistent with the levels of\nresponsibility and trust associated with their positions. 
For example, 23 employees regularly\ninvolved in the development of the indicator have access to the final data for up to a day and a\nhalf before it is released to the public through the ESA press room. Of these employees, only the\nBranch Chief’s position is classified as moderate risk; the remaining positions are classified as\nlow risk. This disparity in classification needs to be rectified, and these remaining positions\nshould be reclassified as moderate risk because of the sensitive nature of the final indicator data\nand the requirement to prevent its disclosure prior to official release to the public. Moreover, the\nmanagers within the Economic Directorate should review and appropriately adjust the risk levels\nassociated with all positions within the directorate.\n\nIn addition, the positions held by the ESA employees who coordinate the lockup have been\nclassified according to the sensitivity criteria for national security positions. However, they do\nnot handle national security information and should instead be classified according to the risk\ncriteria for public trust positions.\n\nC.     Guidance concerning legal and ethical restrictions on market investments based on\n       advance knowledge is not adequate\n\nAll Census Bureau employees are required to sign a sworn statement that they will abide by the\ndata confidentiality requirements of Title 13 of the U.S. Code, which covers sensitive Census\ndata. Employees within the Economic Directorate are regularly provided verbal and written\nreminders about the proper handling of data that is afforded protection from unauthorized\ndisclosure and improper use by Title 13. Also, the bureau requires all new employees to attend a\none-hour ethics briefing. 
Furthermore, Economic Directorate employees who are involved with\neconomic indicators are provided a verbal semiannual reminder by their supervisor during\nperformance reviews about the need to protect pre-release economic indicator data from public\ndisclosure. However, these employees and other ESA employees who have access to pre-release\nindicator data are not provided written guidance that explains the ethical restrictions on investing\nin financial markets based on advance information that is not available to the public. The\nStandards of Ethical Conduct for Employees in the Executive Branch, 5 CFR Part 2635, contains\nsection 703, Use of Nonpublic Information, which prohibits employees from engaging in\nfinancial transactions using nonpublic information and from allowing its improper use to further\ntheir own private interests or those of another. This section also notes that, in addition to\nviolating this section, certain employee use of nonpublic information could also violate federal\nsecurities laws.\n\nThe Bureau of Labor Statistics (BLS), which also develops Principal Federal Economic\nIndicators, has issued Commissioner’s Order No. 1-00 to provide guidance on how the Standards\nof Ethical Conduct for Employees in the Executive Branch apply to employees making financial\ntransactions with knowledge of BLS embargoed data. The order defines embargoed data as\npre-release economic series data for the Principal Federal Economic Indicators produced by BLS, and\nspecifically states that the standards prohibit employees who have access to embargoed data from\nusing the data for private gain or allowing others to do so. 
It further states that employees may\nnot take actions that could create an appearance that they are using nonpublic government\ninformation for private gain.\n\nAdditional guidance is given to help ensure that market investments made by such employees\ncan in fact be made without violating or appearing to violate an ethical standard. For example,\nthe order states that if an individual owns shares in a mutual fund, but does not participate in or\nreceive advance knowledge of decisions regarding its portfolio, there would be no appearance of\nan ethics violation if transactions affecting the fund occurred while the individual has knowledge\nof embargoed data.\n\nThis order contains the type of specific guidance that should be provided to Economic\nDirectorate employees who are involved in the development of economic indicators and to all\nESA employees who have access to pre-release indicator data.\n\nThe Commissioner’s Order is included as Appendix B.\n\nD.     Recommendations\n\nWe recommend that the Acting Director of the Census Bureau direct the Director of the bureau’s\nHuman Resources Division to:\n\n1.     Require division personnel responsible for position sensitivity classification to attend\n       training classes described in OPM Federal Investigations Notice No. 01-08, March 19,\n       2001, to obtain an understanding of 5 CFR 731 risk classification and investigation\n       requirements.\n\n       The bureau has agreed with this recommendation. The bureau’s Human Resources\n       Division will schedule appropriate training for its specialists.\n\n2.     Develop written guidance that reflects the position risk level classification and\n       investigation requirements taught in the training classes mentioned above and distribute it\n       to bureau managers so they can classify position sensitivity appropriately.\n\n       The bureau has agreed with this recommendation. 
Human Resources Division\n       specialists will develop the written guidance in conjunction with security personnel\n       after attending training classes.\n\nWe recommend that the Acting Director of the Census Bureau direct the Associate Director for\nEconomic Programs to:\n\n3.     Reassess the position sensitivity codes for all employees to ensure that they reflect the\n       appropriate risk designations based on the level of responsibility and trust associated with\n       each position in accordance with guidance from the bureau’s Human Resources Division.\n\n       The bureau has agreed with this recommendation. However, the bureau has indicated\n       that positions held by all personnel working on indicator surveys will be designated as\n       moderate risk, based on discussions with us. These discussions were not intended to\n       convey that positions held by all personnel working on indicator surveys should be\n       designated as moderate risk. Rather, we stated that those persons having access to the\n       same information available to the branch chief should have positions designated at the\n       same moderate risk level as the branch chief rather than low risk as currently\n       designated. 
Some positions for personnel working on indicator surveys are currently\n       designated as high risk, and other positions may also warrant a high risk designation.\n       We reaffirm that risk designations should be based on the level of responsibility and\n       trust associated with each position in accordance with guidance from the bureau’s\n       Human Resources Division.\n\n4.     Ensure that appropriate background investigations have been completed for all\n       employees.\n\n       The bureau has agreed with this recommendation. However, the bureau’s response\n       notes that roles and responsibilities of human resources, security, and management\n       with respect to risk designation and background investigations are not clearly defined\n       and understood. Our report, Program for Designating Positions According to Their\n       Risk and Sensitivity Needs to Be Updated and Strengthened, Draft Inspection Report\n       No. OSE-14486/August 2001, recommends that the Department provide to operating\n       units clear definitions of roles and responsibilities of human resources, security, and\n       management with respect to risk designation and background investigations. Thus,\n       roles and responsibilities for risk designation and background investigations should be\n       made clear by forthcoming Department guidance.\n\nWe recommend that the Under Secretary for Economic Affairs:\n\n5.     Ensure that the position sensitivity codes for ESA employees who coordinate the release\n       of economic indicators via the ESA lockup reflect appropriate risk designations rather\n       than national security sensitivity levels currently assigned, and that background\n       investigations appropriate for the risk levels are conducted.\n\n       ESA has agreed to work with the Office of Security and the bureau’s Human\n       Resources Division, which provides human resources support to ESA, to comply with\n       this recommendation.\n\n6.     Request assistance from the Office of General Counsel’s Ethics Division, and develop\n       specific written guidance on how federal securities laws and the Standards of Ethical\n       Conduct for Employees in the Executive Branch restrict employees’ ability to engage in\n       certain financial transactions with knowledge of pre-release economic indicator data.\n\n       The bureau has agreed with this recommendation and has issued written guidance for\n       indicator staff on how the Standards of Ethical Conduct apply to employees making\n       financial transactions with knowledge of Census Bureau Principal Economic\n       Indicator data prior to public release.\n\n\n                                                                                               APPENDIX A\n\n\n    Purpose and Critical Elements of Major Categories of FISCAM General Controls\n\nEntity-wide Security Planning and Program Management\n\nPurpose            Provides a framework and continuing cycle of activity for managing risk, developing security\n                   policies, assigning responsibilities, and monitoring the adequacy of the entity’s\n                   computer-related controls\n\nCritical elements  Periodically assess risks\n                   Document an entity-wide security program\n                   Establish a security management structure and assign security responsibilities\n                   Implement effective security-related personnel policies\n                   Monitor the security program’s effectiveness and make changes as needed\n\nAccess Controls\n\nPurpose            Limit or detect access to computer resources (data, programs, equipment, and facilities),\n                   thereby protecting these resources against unauthorized modification, loss, and disclosure\n\nCritical elements  Classify information resources according to their criticality and sensitivity\n                   Maintain a current list of authorized users and their access authorized\n                   Establish physical and logical controls to prevent or detect unauthorized access\n                   Monitor access, investigate apparent security violations, and take appropriate remedial action\n\nApplication Software Development and Change Controls\n\nPurpose            Prevent unauthorized programs or modifications to an existing program from being\n                   implemented\n\nCritical elements  Ensure that processing features and program modifications are properly authorized\n                   Test and approve all new and revised software\n                   Control software libraries\n\nSystem Software\n\nPurpose            Limit and monitor access to the powerful programs and sensitive files that (1) control the\n                   computer hardware and (2) secure applications supported by the system\n\nCritical elements  Limit access to system software\n                   Monitor access to and use of system software\n                   Control system software changes\n\nSegregation of Duties\n\nPurpose            Establish policies, procedures, and an organizational structure so that one individual cannot\n                   control key aspects of computer-related operations and thereby conduct unauthorized\n                   actions or gain unauthorized access to assets or records\n\nCritical elements  Segregate incompatible duties and establish related policies\n                   Establish controls to enforce segregation of duties\n                   Control personnel activities through formal operating procedures and supervision and review\n\nService Continuity\n\nPurpose            Ensure that when unexpected events occur, critical operations continue without interruption\n                   or are promptly resumed and critical and sensitive data are protected\n\nCritical elements  Assess the criticality and sensitivity of computerized operations and identify supporting\n                   resources\n                   Take steps to prevent and minimize potential damage and interruption\n                   Develop and document a comprehensive contingency plan\n                   Periodically test the contingency plan and adjust it as appropriate\n\n\n                                                                                               APPENDIX B\n\n\n    BLS Commissioner’s Order No. 1-00 (pages B-1 through B-3)\n'